PIX515 - VPN Not Configured Correctly

Status
Not open for further replies.

plexter (Technical User, US), Nov 4, 2006
Hello all,

I have been trying to configure remote access VPN for quite some time now. I just don't get it.

I would prefer to do this through the GUI but any help is very much appreciated. :)

My problem is that after creating a remote access connection and then connecting via the Cisco VPN client, I cannot browse anywhere. I notice the default gateway assigned to the client is 10.200.53.1; does this even exist?? --I never specified this!

My end goal is to allow remote access VPN in to any internal network behind the PIX as well as using the PIX's internet connection for external requests.

I would rather someone just walk me through from start to finish instead of posting my config. Right now I have my general setup without VPN settings so it would be nice to start from a clean VPN-less configuration.

Please let me know if you can help.
Thanks a bunch!
 
Can you ping anything once connected?

You will not be able to browse the network, it is not allowed by design.

If you can ping once connected you have been successful, if not you have some work to do. Can you post your config so I can see what may be wrong?
 
Hello Bash,

Thank you for replying.

Pix firewall configuration
Code:
PIX Version 7.2(1)
!
hostname hostname
domain-name domain.com
enable password srh5S8qp66/agSJ1Zk encrypted
names
!
interface Ethernet0
 nameif OUTSIDE
 security-level 0
 pppoe client vpdn group internet1
 ip address pppoe setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.35.2 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 1hFStnN2d6IF2K?OZ encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.com
access-list OUTSIDE_access_in remark SSH TO OBSD STARTED
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq www log notifications
access-list inside_nat0_outbound extended permit ip any 10.200.53.0 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu inside 1500
ip local pool VPNPOOL 10.200.53.10-10.200.53.20 mask 255.255.255.0
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (OUTSIDE) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,OUTSIDE) tcp interface www 192.168.35.1 ssh netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
route inside 10.100.10.0 255.255.255.0 192.168.35.1 1
route inside 10.200.51.0 255.255.255.0 192.168.35.1 1
route inside 10.200.52.0 255.255.255.0 192.168.35.1 1
route inside 10.200.50.0 255.255.255.0 192.168.35.1 1
route inside 172.16.25.0 255.255.255.0 192.168.35.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPN internal
group-policy VPN attributes
 dns-server value 10.100.10.2 10.200.50.1
 vpn-tunnel-protocol IPSec
 default-domain value domain.gotdns.com
username user1 password CaoFsf7C2tqiK9tT2 encrypted privilege 0
username user1 attributes
 vpn-group-policy VPN
http server enable
http 192.168.35.0 255.255.255.0 inside
http 10.200.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map OUTSIDE_dyn_map 20 set pfs
crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
 address-pool VPNPOOL
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group internet1 request dialout pppoe
vpdn group internet1 localname username
vpdn group internet1 ppp authentication pap
vpdn username username password *
dhcpd address 192.168.35.3-192.168.35.254 inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8ff0f15ca3318fd16s893c0sc498d22k9
: end

VPN Host Address (ipconfig)

Code:
Ethernet adapter Local Area Connection 2:        
Connection-specific DNS Suffix  . : domain.gotdns.com        
Description . . . . . . . . . . . : Cisco Systems VPN Adapter        
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00        
Dhcp Enabled. . . . . . . . . . . : No        
IP Address. . . . . . . . . . . . : 10.200.53.10        
Subnet Mask . . . . . . . . . . . : 255.255.255.0        
Default Gateway . . . . . . . . . : 10.200.53.1        
DNS Servers . . . . . . . . . . . : 10.100.10.2
                                    10.200.50.1

I should be able to access services from within my network; that would be the whole point of VPN :)

Right now I cannot browse the internet nor anything else. As I said I am looking to be able to VPN in and be able to access services/internal network and have the VPN make use of the internet through the PIX. This is the same config as I have seen elsewhere. :)

Please let me know. Thank you very much! :)
 
Nope, that did not seem to change anything. I believe that command was already in place, as I recall selecting the option during the initial configuration from the GUI.

Thanks
 
I think I know what is wrong.

You have a NAT 0, but you are not allowing access to the VPN client.

Let's work on this slowly, and then test each time.

I would also upgrade to 8.03, much better than 7.2.1, it has lots of holes:-

Here goes-


no access-list inside_nat0_outbound extended permit ip any 10.200.53.0 255.255.255.224 (tidied up a bit)


no nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list nat0

group-policy VPN internal
group-policy VPN attributes
banner value You are accessing the network of "Your Company Name". Access to this network is restricted to authorised personnel only. By clicking 'Continue' you confirm that you have been given prior permission to access this network. Any unauthorised attempt to access this network will be investigated and where appropriate you will be prosecuted to the full extent of UK and International laws.
wins-server value "your wins address"
dns-server value "your dns server addess"
vpn-idle-timeout 120
vpn-session-timeout 1440
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp enable
group-lock value VPN
pfs enable
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-list
default-domain value "your company domain"


crypto ipsec transform-set aes-256 esp-aes-256 esp-sha-hmac
(This is a change, much stronger and less CPU intensive on both firewall and client)

crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set aes-256
crypto dynamic-map OUTSIDE_dyn_map 20 set security-association lifetime seconds 28800



crypto isakmp policy 10 (It should negotiate this first, it is stronger, if not it will fall to policy 20)
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp enable outside (I know you have this set already)

tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
address-pool VPNPOOL
default-group-policy VPN
tunnel-group VPN ipsec-attributes
pre-shared-key *


tunnel-group "this is mine" type remote-access "All this lot works in Version 8"
tunnel-group "this is mine" general-attributes
address-pool vpn-client
authentication-server-group siclradius
default-group-policy "this is mine"
strip-realm
password-management
strip-group
tunnel-group sicl ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 20 retry 2





policy-map global_policy
class inspection_default

no inspect esmtp (this can cause you email issues, I would remove it)


Keep me informed, the VPN stuff should just work, let me know if you have any problems with it.

If you want to work on this from the outside, let me know and we can set ssh up tied down to your home dsl address.

 

Hi,

I tried inputting those commands but the nat ones did not work.

no nat (inside) 0 access-list inside_nat0_outbound
ERROR: access-list inside_nat0_outbound not bound nat 0

nat (inside) 0 access-list nat0
{just shows NAT command syntax}

BTW, do you have said IOS 8.x? I would upgrade if you could send it to me.

Thanks


 
no access-list inside_nat0_outbound extended permit ip any 10.200.53.0 255.255.255.224

I cut and pasted a lot more than has appeared.

Try the one below, hopefully you have the object-groups defined?

if not:-

object-group network vpn-client
network-object 10.200.53.0 255.255.255.224

object-group network all-subnets
network-object 0.0.0.0 0.0.0.0

access-list nat0 permit ip object-group all-subnets object-group vpn-client

 
Hi again,

I tried inputting those commands however I was getting some errors such as the one below.

Result of the command: "split-tunnel-network-list value split-list"

ERROR: access-list <split-list> does not exist

Would it be possible if I were to load my configuration from before I setup the VPN could we start from the initial setup of the remote access vpn?

Thanks
 
If you want, I will configure remotely for you, that way we can test as we go along, can even get you up to version 8.

Let me have your email address and I will send you my contact details direct.

Let me know what you want me to do :)

By the way, that access list did exist but disappeared when I pasted.
 
Oh, and do not worry about the split list for now, it should work for now, they just won't get Internet access to start with.
 
I don't think I really feel all that comfortable with allowing external access.

I would however like to upgrade to 8.x if you wanted to put the file (asdm also?) up on one of those free file hosting sites I would be happy to download it and upgrade.

Maybe that would help solve my problems?
 
Okay well is there anyone here willing to help without trying to access my device?
 
The above should work.

do a "debug crypto isakmp 128"

"term mon"

and then monitor what goes on.
 
Hello again,

I am remote right now so I cannot configure the PIX.

However could you send me the IOS files for 8.x so I can upgrade?

Also I am not sure what the debug will do, as I never had any problem connecting to the VPN. I just have problems doing anything afterward (can't browse anywhere).

Please let me know.
Thanks
 
Can you ping anything?

If yes can you manually map a drive?

If yes, then it is working, browsing is not permitted over VPN.
 
No I cannot ping anything.

So is it possible for you to give me the 8.x ios?
 
Not allowed to do that, sorry.

You have to have a Smartnet with Cisco.

It is illegal.
 

I see...


Well I will try and reconfigure the PIX again and see what happens.
 
Okay I have upgraded and reconfigured.

VPN seems to be working a lot better. I can now access internal network devices.

HOWEVER! I am unable to browse the internet while connected to the VPN. Does anyone know what could be wrong?

Please take a look at my configuration.

Code:
PIX Version 8.0(2) 
!
hostname **
domain-name **
enable password ** encrypted
names
!
interface Ethernet0
 nameif OUTSIDE
 security-level 0
 pppoe client vpdn group **
 ip address pppoe setroute 
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.35.2 255.255.255.0 
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd ** encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name **
access-list OUTSIDE_access_in remark SSH TO OBSD STARTED
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq www log notifications
access-list inside_nat0_outbound extended permit ip any 10.200.53.0 255.255.255.224 
access-list Split_Tunnel_List standard permit any 
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu inside 1500
ip local pool VPNPOOL01 10.200.53.10-10.200.53.20 mask 255.255.255.224
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (OUTSIDE) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,OUTSIDE) tcp interface www 192.168.35.1 ssh netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
route inside 10.100.10.0 255.255.255.0 192.168.35.1 1
route inside 10.200.50.0 255.255.255.0 192.168.35.1 1
route inside 10.200.51.0 255.255.255.0 192.168.35.1 1
route inside 10.200.52.0 255.255.255.0 192.168.35.1 1
route inside 172.16.25.0 255.255.255.0 192.168.35.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.200.50.0 255.255.255.0 inside
http 192.168.35.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 18000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group ** request dialout pppoe
vpdn group ** localname **
vpdn group ** ppp authentication pap
vpdn username ** password ** 
dhcpd address 192.168.35.3-192.168.35.254 inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
group-policy VPN01 internal
group-policy VPN01 attributes
 dns-server value 10.100.10.2 10.200.50.1
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value **VPN
username ** password ** encrypted privilege 0
username ** attributes
 vpn-group-policy VPN01
tunnel-group VPN01 type remote-access
tunnel-group VPN01 general-attributes
 address-pool VPNPOOL01
 default-group-policy VPN01
tunnel-group VPN01 ipsec-attributes
 pre-shared-key *

Please let me know, thanks a lot! :)
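The nat 0 and split-tunnel points Bash raises earlier in the thread, and the 8.0(2) config plexter posts above (internal access works, Internet does not), checked by a script. This is an added example, not code from the thread or from Cisco; it assumes the PIX/ASA 7.x and later behaviour that a full-tunnel client's Internet traffic must hairpin on the OUTSIDE interface, which needs `same-security-traffic permit intra-interface` plus a nat rule for the pool on OUTSIDE, and the config excerpt is constructed from the posted lines.

```python
import ipaddress
import re

# Constructed excerpt of the 8.0(2) config posted in the thread (only the lines the checks read).
PIX_CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 10.200.53.0 255.255.255.224
access-list Split_Tunnel_List standard permit any
ip local pool VPNPOOL01 10.200.53.10-10.200.53.20 mask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
group-policy VPN01 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
"""

def check_vpn_config(cfg: str) -> list:
    """Return findings about remote-access client reachability in a PIX/ASA 7.x/8.x config."""
    findings = []
    lines = [line.strip() for line in cfg.splitlines()]
    # 1. Every pool address must fall inside a network the nat 0 (NAT-exempt) ACL lists,
    #    otherwise replies to the client are translated and never enter the tunnel.
    pool = re.search(r"ip local pool \S+ (\S+)-(\S+) mask", cfg)
    nat0 = re.search(r"nat \(inside\) 0 access-list (\S+)", cfg)
    exempt = []
    for line in lines:
        m = nat0 and re.match(rf"access-list {nat0.group(1)} .*permit ip \S+ (\S+) (\S+)$", line)
        if m:
            exempt.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    if pool:
        first, last = (ipaddress.ip_address(a) for a in pool.groups())
        if not any(first in net and last in net for net in exempt):
            findings.append(f"pool {first}-{last} is not covered by the nat 0 access list")
    # 2. The split-tunnel list must exist; the thread shows the error when it does not.
    policy = re.search(r"split-tunnel-policy (\S+)", cfg)
    split = re.search(r"split-tunnel-network-list value (\S+)", cfg)
    split_entries = [line for line in lines
                     if split and line.startswith(f"access-list {split.group(1)} ")]
    if split and not split_entries:
        findings.append(f"split-tunnel list {split.group(1)} is referenced but not defined")
    # 3. With everything tunnelled (tunnelall, or a list that permits any) the client's Internet
    #    traffic arrives on OUTSIDE and must hairpin back out of it (assumed ASA/PIX 7.x+ rule).
    full_tunnel = (policy is None or policy.group(1) == "tunnelall"
                   or any(line.endswith(" permit any") for line in split_entries))
    if full_tunnel:
        if "same-security-traffic permit intra-interface" not in lines:
            findings.append("full tunnel without 'same-security-traffic permit intra-interface'")
        if not re.search(r"nat \(OUTSIDE\) \d+ ", cfg, re.IGNORECASE):
            findings.append("full tunnel but no nat (OUTSIDE) rule for the VPN pool")
    return findings
```

Run against the excerpt it reports the two hairpin gaps; with a split list that only permits the internal subnets it reports nothing, since the client's Internet traffic then never enters the tunnel.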
 